Skip to content

Fix genesis receipt verification#379

Merged
GsCommand merged 1 commit into
mainfrom
codex/fix-genesis-receipt-verification-failure
May 29, 2026
Merged

Fix genesis receipt verification#379
GsCommand merged 1 commit into
mainfrom
codex/fix-genesis-receipt-verification-failure

Conversation

@GsCommand

@GsCommand GsCommand commented May 29, 2026

Copy link
Copy Markdown
Contributor

Motivation

  • Genesis receipts generated chain roots and hashes in a way that made them fail verification: the verifier treated genesis receipts like runtime receipts and recomputed the wrong canonical payload, and the old chain-root assignment was circular and unverifiable.
  • The intent is to ensure newly generated genesis receipts verify immediately via the same verifyReceipt logic used by /api/verify-id without weakening cryptographic checks.

Description

  • Added genesis-aware canonical payload functions and detection in lib/receiptSigning.js so genesis receipts are canonicalized over genesis fields and runtime receipts keep the existing six-field payload.
  • Changed lib/receipts/create-genesis-receipt.js to compute a non-circular chain_root as sha256:<genesis_anchor_hash> where the anchor hash excludes the derived chain_root, then sign the canonical genesis payload that includes that resolved chain_root.
  • Updated lib/verifyReceipt.js to validate genesis-specific schema invariants, verify the genesis chain-root anchor, and expose detailed debug flags (receipt_shape_matched, proof_shape_matched, chain_root_matched) while keeping all existing ENS, kid, and Ed25519 checks.
  • Documented the non-circular genesis chain-root rule in public/schemas/trust-verification/README.md and updated per-verb receipt schema descriptions.
  • Added and updated tests in tests/genesis-receipt.test.js and tests/api-verify-id.test.js to cover: immediate verification of generated genesis receipts, /api/verify-id returning VERIFIED for stored genesis receipts, tampering with pinned card CID/hash returning INVALID, tampering with chain fields returning INVALID, and unknown receipt id behavior.

Testing

  • Ran npm test and all tests passed (125 tests, 0 failures).
  • Ran npm run check:links and it completed with all local links resolved.
  • Ran cd examples/webhook-auto-verify && npm run check and it passed.
  • Added regression tests that assert generated genesis receipts verify as VERIFIED and tamper cases return INVALID (all new tests passed).

Codex Task

@vercel

vercel Bot commented May 29, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commandlayer-commandlayer-org Ready Ready Preview, Comment May 29, 2026 12:21am
commandlayer-org Ready Ready Preview, Comment May 29, 2026 12:21am
commandlayer-org111 Ready Ready Preview, Comment May 29, 2026 12:21am

Request Review

@GsCommand GsCommand merged commit 6a1bc98 into main May 29, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand